Akismet XSS Vulnerability

A vulnerability in Akismet emerged last week and because Akismet is one of the most widely used plugins for WordPress, we wanted to bring it to your attention.

Akismet is a comment spam filter for WordPress and, in general, it does a great job. The Akismet team announced on their blog last week that a cross-site scripting (XSS) vulnerability had been discovered in all versions of Akismet since 2.5.0.

The vulnerability allows an attacker to post a comment on a WordPress site which will execute JavaScript in the WordPress admin console when an administrator views it. This is a typical stored XSS pattern, and one of the attacks it enables would allow an attacker to steal a WordPress administrator’s cookies and gain administrative access to a WordPress website.
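The root cause of this class of bug is comment text reaching an admin page without output encoding. The following is an added example, not Akismet's or WordPress's own code, showing the unsafe rendering pattern beside the hardened one in plain PHP. The comment data is constructed, and the helper names (escape_html, render_comment_row, contains_raw_tag) are assumptions for illustration; WordPress itself provides esc_html(), esc_attr() and wp_kses() for the same job.

```php
<?php
// Added example (not Akismet's or WordPress's own code): rendering untrusted
// comment fields into an admin page with and without output encoding.
// Helper names below are illustrative assumptions, not WordPress APIs.

// Escape a string for safe placement in HTML text or a quoted attribute.
// ENT_QUOTES covers both quote styles so the value is also safe inside
// attribute="..."; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The unsafe pattern: fields copied straight into the markup.
function render_comment_row_unsafe(array $c): string
{
    return "<tr><td>{$c['author']}</td><td>{$c['content']}</td></tr>";
}

// The hardened pattern: every untrusted field passes through escape_html()
// before it touches the markup, so the browser shows tags as literal text.
function render_comment_row(array $c): string
{
    return '<tr><td>' . escape_html($c['author']) . '</td><td>'
         . escape_html($c['content']) . '</td></tr>';
}

// Review check: does any raw tag from the untrusted fields survive in the
// rendered HTML? Only the template's own <tr>/<td> tags should be present.
function contains_raw_tag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

// Constructed sample comment whose fields carry HTML markup.
$comment = [
    'author'  => '<b>Visitor</b>',
    'content' => 'Nice post <script>/* constructed sample */</script>',
];

$unsafe = render_comment_row_unsafe($comment);
$safe   = render_comment_row($comment);

printf("unsafe keeps <script>: %s\n", contains_raw_tag($unsafe, 'script') ? 'yes' : 'no');
printf("escaped keeps <script>: %s\n", contains_raw_tag($safe, 'script') ? 'yes' : 'no');
echo $safe, PHP_EOL;
```

Run with `php example.php`. The escaped row contains `&lt;script&gt;` rather than a live tag, which is the property the Akismet fix restores. Output encoding at the rendering site is the actual fix; an HttpOnly flag on the session cookie limits cookie theft but does not stop injected script from acting as the logged-in administrator.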

There is no evidence that the vulnerability has been exploited in the wild. The Akismet and WordPress teams immediately took the following actions:

  • They released updates for all affected versions of Akismet.
  • The WordPress.org team issued an automatic update of the Akismet plugin on affected sites. If you noticed that your WordPress site was automatically upgraded to the newest version of Akismet, that is why.
  • The Akismet team modified their API so that if an attacker did try to exploit a vulnerable version of Akismet, the API would block the attack by filtering out the comment the attacker tried to post. What this means is that as soon as the vulnerability was discovered and the Akismet team made this change, even vulnerable versions of Akismet were no longer exploitable, provided they could still reach the Akismet API.

Kudos to the Akismet team for responding to this so rapidly and comprehensively. If you’re running Akismet, we recommend you sign into your WordPress site and make sure that Akismet has been updated to the newest version.


6 Comments
  • DisQus is my current choice, though vanilla WordPress still has its appeal for me when posting comments :)

  • Which version of Akismet is fixed?

    • Akismet 3.1.5 is the security release.

  • Thanks for sharing.

  • Thank you very much Mark

  • Thanks for this information. I have Akismet on my WordPress website.